Revoke authentication tokens when a user is deleted
authorTom Hughes <tom@compton.nu>
Fri, 23 Dec 2022 16:24:10 +0000 (16:24 +0000)
committerTom Hughes <tom@compton.nu>
Fri, 23 Dec 2022 16:24:10 +0000 (16:24 +0000)
app/models/user.rb

index d7bfb223541a24d2f68d33c4b7e50b7bd418a08b..c809b619294732038c97558423b349fe2050212c 100644 (file)
@@ -210,6 +210,7 @@ class User < ApplicationRecord
     # Mark the account as deleted and remove personal data
     event :soft_destroy do
       before do
+        revoke_authentication_tokens
         remove_personal_data
       end
 
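Review bot: The comment above `event :soft_destroy` still reads "Mark the account as deleted and remove personal data", but the `before` block now revokes credentials as well. It could become `# Mark the account as deleted, revoke authentication tokens and remove personal data`. Revocation is wired only to this event in the visible lines. The event block continues outside the hunk, so whether other transitions that disable an account (if any exist) also need it cannot be judged from here and is worth checking.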
@@ -299,6 +300,13 @@ class User < ApplicationRecord
     blocks.active.detect(&:needs_view?)
   end
 
+  ##
+  # revoke any authentication tokens
+  def revoke_authentication_tokens
+    oauth_tokens.authorized.each(&:invalidate!)
+    access_tokens.not_expired.each(&:revoke)
+  end
+
   ##
   # remove personal data - leave the account but purge most personal data
   def remove_personal_data
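Review bot: In `revoke_authentication_tokens`, the `not_expired` filter leaves already-expired `access_tokens` unrevoked. If the deployment issues refresh tokens (not visible on this page), an expired token might still be renewed after the account is deleted, so revoking every token that is not yet revoked would be the safer selection. `revoke` is also the non-bang call next to `invalidate!`. If it signals failure through its return value rather than by raising, a failed revocation would pass silently inside the `before` callback. The doc comment could name what is covered, e.g. `# revoke the user's authorized oauth_tokens and unexpired access_tokens so existing API credentials stop working once the account is deleted`. No test for the new method appears in this commit, and one asserting that a soft-destroyed user's tokens are rejected would pin the behaviour.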